shehabix
12-16-2009, 09:25 PM
Dear all, I've created this function that'll check the posted HTML and disable & strip all the harmful HTML tags, JavaScript events & objects & functions & style tags ..
Please, if anyone still has something in mind that needs to be added to this, let me know . . .
// Remove all the possible & harmful tags and events . .
function safe_html($str){
    // strip_tags() ignores self-closing forms in its allow-list, so "<br>" already covers "<br />"
    $str=strip_tags($str,"<a><table><tr><td><b><strong><tbody><thead><tfoot><p><img><br><div>");
    // Remove all the onXXXXX events
    $str=preg_replace("#on[A-Za-z]{4,}=#Uis","",$str);
    // Remove any href="javascript:blablabla"
    $str=preg_replace("#javascript[\s]*:[\s]*#Uis","",$str);
    // Remove any possibility of document.write("<sc........") (dot escaped so it matches literally)
    $str=preg_replace("#document\.write#Uis","",$str);
    // Remove all the alerts
    $str=preg_replace('#alert\(#Uis',"",$str);
    // Remove rel attribute ..
    $str=preg_replace('#rel=("|\'|)#Uis','',$str);
    // Remove stylesheet keyword
    $str=preg_replace('#stylesheet#Uis','',$str);
    // Remove position style tag to avoid using absolute / fixed positions . .
    $str=preg_replace('#position:[\s]*[A-Za-z]+[^A-Za-z]#Uis','',$str);
    // Remove window.XXXX script
    $str=preg_replace('#window\.#Uis','',$str);
    // Remove location.XXXX script
    $str=preg_replace('#location\.#Uis','',$str);
    // Remove any remaining iframe tag if someone found a way to keep it . .
    $str=preg_replace('#<[/]*iframe#Uis','',$str);
    // Remove any remaining script tag if someone found a way to keep it . .
    $str=preg_replace('#<[/]*script#Uis','',$str);
    return $str;
}
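As an added example that is not part of shehabix's post: the function above works by deleting known-bad strings from the markup (a blacklist), and each new string it does not know about has to be added by hand. The usual defensive alternative is an allowlist: parse the HTML with DOMDocument, keep only the elements and attributes you name, check URL attributes against a list of permitted schemes, and rebuild the output from the DOM. Because the parser decodes entities and normalises the markup before the checks run, the checks see the same values a browser would. The element/attribute table, the scheme list and the names sanitize_html(), sanitize_node() and is_safe_url() are assumptions chosen for this example, using the same tag set the post allows.

```php
<?php
// Added example, not the post's code: allowlist-based HTML sanitizer built on DOMDocument.
// The tag list mirrors the strip_tags() allow-list from the post; the attribute lists,
// scheme list and function names are assumptions made for this example.

const ALLOWED_ELEMENTS = [
    'a'     => ['href', 'title'],
    'table' => [], 'thead' => [], 'tbody' => [], 'tfoot' => [], 'tr' => [], 'td' => [],
    'b'     => [], 'strong' => [], 'p' => [], 'br' => [], 'div' => [],
    'img'   => ['src', 'alt', 'width', 'height'],
];
// Elements whose whole subtree is dropped; other unknown elements keep their text only.
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed'];
const URL_ATTRIBUTES   = ['href', 'src'];
const ALLOWED_SCHEMES  = ['http', 'https', 'mailto'];

function is_safe_url(string $url): bool {
    // Browsers ignore ASCII control characters and whitespace when reading a scheme,
    // so strip them before looking for one (the stored value is left untouched).
    $probe = preg_replace('/[\x00-\x20]+/', '', $url);
    if (!preg_match('#^([a-z][a-z0-9+.-]*):#i', $probe, $m)) {
        return true; // no scheme: relative URL, accepted
    }
    return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
}

function sanitize_node(DOMNode $node): void {
    // Iterate over a static copy: removing children mutates the live node list.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (in_array($tag, DROP_WITH_CONTENT, true)) {
                $node->removeChild($child);
                continue;
            }
            if (!array_key_exists($tag, ALLOWED_ELEMENTS)) {
                // Unknown element: replace it by its text so the prose survives.
                $text = $child->ownerDocument->createTextNode($child->textContent);
                $node->replaceChild($text, $child);
                continue;
            }
            $allowed = ALLOWED_ELEMENTS[$tag];
            foreach (iterator_to_array($child->attributes) as $attr) {
                $name = strtolower($attr->name);
                if (!in_array($name, $allowed, true)
                    || (in_array($name, URL_ATTRIBUTES, true) && !is_safe_url($attr->value))) {
                    $child->removeAttribute($attr->name);
                }
            }
            sanitize_node($child);
        } elseif (!($child instanceof DOMText)) {
            // Comments, CDATA and processing instructions are never needed in user content.
            $node->removeChild($child);
        }
    }
}

function sanitize_html(string $html): string {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // tolerate sloppy user markup without warnings
    // The XML declaration makes libxml read the fragment as UTF-8; the <body> wrapper
    // gives us a single node to serialise from.
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    sanitize_node($body);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child); // text nodes are re-escaped on output
    }
    return $out;
}

// Constructed sample input for the demonstration.
$sample = '<p onclick="x()">Hello <b>world</b> <a href="https://example.com" rel="x">link</a></p>'
        . '<img src="data:text/html,abc" alt="pic"><script>x()</script>';
echo sanitize_html($sample), PHP_EOL;
// The sample comes back with the onclick and rel attributes dropped, the data: src removed
// (alt kept), and the script element gone.
```

Two design points worth noting: attribute values are compared after the parser has decoded entities, so an encoded scheme is judged by its decoded form, and anything not explicitly listed (a style attribute, an unknown tag) is removed without a rule being written for it. The trade-off is that every legitimate element you later need must be added to the table, which is the safer direction to fail in.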